73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
295s
platform
windows10-1703_x64
resource
win10-20231220-ja
resource tags

arch:x64arch:x86image:win10-20231220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
14/02/2024, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
600	b2e.exe
3012	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3012	cpuminer-sse2.exe
3012	cpuminer-sse2.exe
3012	cpuminer-sse2.exe
3012	cpuminer-sse2.exe
3012	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4496-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 600	4496	batexe.exe	75
PID 4496 wrote to memory of 600	4496	batexe.exe	75
PID 4496 wrote to memory of 600	4496	batexe.exe	75
PID 600 wrote to memory of 3080	600	b2e.exe	76
PID 600 wrote to memory of 3080	600	b2e.exe	76
PID 600 wrote to memory of 3080	600	b2e.exe	76
PID 3080 wrote to memory of 3012	3080	cmd.exe	79
PID 3080 wrote to memory of 3012	3080	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\9153.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9153.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9153.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9357.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9153.tmp\b2e.exe

Filesize
4.9MB

MD5
d30c191aedd38f89ee7f642113d61899

SHA1
5c0fb4f75c4ef79022214c5ecdba5a5aadb6928e

SHA256
07e352485318c1b2e0842263010656bb612df3e3a14a94df585d2ec1a0925c01

SHA512
0155823cf9e6a3e404f96de774b390f917cce84dcd72c10069b55f62c45a073c7f1e00900f5dfae23f3e2a33cae8acaad0b1127ba2356e4660d9d8b69ff4e208

Download Submit
C:\Users\Admin\AppData\Local\Temp\9153.tmp\b2e.exe

Filesize
5.1MB

MD5
e2a0caf06635a212d6b531e8f44ab0de

SHA1
509ab7ef55a284e76e654b384753e6c8bf75f88f

SHA256
52275c328bee8abca37ac8bc0a5064130bd2ebf28a157dafca5e2c97b4d53e78

SHA512
f5773a02bab0044e861158f9d189b380a0675c0ebf4fa938f01b2d055f6d7d65215542ea45d41d8148db2ea3199c34b433198ef5e081ba3fa30903b18af56c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\9357.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
640KB

MD5
0f6af9e19fa927d88313e98d54420920

SHA1
0aff9c72864126107d6c630aafb9ed6512042afd

SHA256
71661d7077b93e2a5e53d7093e532bec1b66d34e3929bcb314eab7f431b84734

SHA512
bba078e2f4eb5ca45956657356f7419767a81679f34d9991bf28a1d44e412340d1002517f74a15583ffe20b32f1f25b60c47f4581100552dc1e651b3f88547be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
781KB

MD5
8f2ecc12668fed0df06e98d1f3f53349

SHA1
c5dc2615f2b39d6b9bf74ecf4c5f522a4036f585

SHA256
ecb2c12f9305b082573d93b74a3aa8a5589d097f94dcc6308a24adf979dad7da

SHA512
2a30556bb1a92a7878de9e96c4f6758ad7680e8dbf4d0b4ac523adcb6b45d6f119bf585dd7b8ba3dd1bcd46f7d455ca2c7e827e7ef2723875c7c0a9c6b2e542c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
822KB

MD5
0ad0440959b99d98b9c836dc203f0189

SHA1
31e90c552d7f0d64f2d6a7a6cbf084b06c174024

SHA256
569262d91b9fea29b4765e3d9d9ab20d26d88cd62830799672ba5f08a96d57f5

SHA512
e08a930b41b923a44efdd6ff0a5525922d5e73a61c56be489663c47e722c3dd052660810756020d35038a3a75703e9b02974c14e456ecbd36b7cae3f4e2d8810

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
660KB

MD5
0bfb8bc6a7761a090c4335ff795c6671

SHA1
982ee59d90de594aeeadcccd17104ba43d99a496

SHA256
363f011b2c7c6c8e87972c7def7ab12c0d0914559184fe2888e36afc9231bcb8

SHA512
3849955c0a43e465318272ec4ec4cc9aa3892775452158726998ebeff8c75cbc22dce2adcc6acc1c7ddca311dd5664610e098bd8505894dd0ad885d5578b7fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
492KB

MD5
5bd9c988edda0ffeaaee0831fc197712

SHA1
7fb6a153c506b3cb08a3386a1c393202f673fb05

SHA256
13d5a2afc6f53ba4649dd785c34745c6baae4d8a2fb4c8015442604115dc4491

SHA512
aa4a036b76649e819f106da53ed6d81ac79e42843e1f22acfe0f51d9e509d8e728a8f76554bae5cda327ff0480a2853d723bd371907821a0d2b794dff0b29c10

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
590KB

MD5
7149519ad7a56f72ad6877227a2f8cab

SHA1
2904c567dacbbedc27fb6da45c8f7cfdba8ad6cc

SHA256
e80d361698bb0620c41f82f0764694b6553e500cc57a84e2860c832af5679bf9

SHA512
f0abb43fdce9ea64f51de6a03fee16c660976f935dbe662b70332b312695da42b8fcc78114762683b41b5987445ad7635ee08a14c38cc4298ea4c85b9f6aaffc

Download Submit
\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
721KB

MD5
52858b16385e3153be520527b8e82cb7

SHA1
98dccbf7ec8c0cb5134b01f08fe2c5e95785d50e

SHA256
55c4c583391477a5cbe8d9460a5721591394a38b61aacb40abcdbc46e6f75583

SHA512
73bf3430795eccc51a333db7865389d6aa5b1b3e09aae88127f00cb4abca8a12d77027131e8730e6d754252a7f83915636a8ba755f77d0d2784ce1be31fe492f

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1008KB

MD5
949b39af6b82992b5778ab51d22870ea

SHA1
27f87fc5b21ca11b90e8d79b6ffccad343bfbbeb

SHA256
d619d266bcc1fb48e17d6f196c7ef684113c211a973f9d770659873b1dce57d4

SHA512
4103e8229d77926c46abfc114ead36c6f8db352b215f2a457b80ff8aa517370a7e79592c7220db60dbc8b5dbdbd1b143921730863f4e07913333b4643a963efc

Download Submit
\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
786KB

MD5
f1b2847d8149f04c268270423d53640a

SHA1
72df943ad30d2c281a63b46ac3d29aa43c63552c

SHA256
7c75fc86f5f18647547c427521295c28934729ec1527210abbe6b4a5de1e307e

SHA512
308c7f0370ae0a25ca6297f917be9a3d161fd2a4e48464c1116caf884f95a519476ffe05d148e2e46fc7aaab9e31194994747b8716af28ff53b22fcb82be7a89

Download Submit
\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/600-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/600-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3012-42-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3012-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-43-0x000000006F0E0000-0x000000006F178000-memory.dmp

Filesize
608KB

Download
memory/3012-41-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3012-44-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/3012-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-40-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3012-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4496-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download